Moving the Washington Post to HTTPS (washingtonpost.com)
208 points by joosters on Dec 10, 2015 | hide | past | favorite | 106 comments


The Washington Post and the New York Times both seem to have excellent engineering teams and both of their websites are in my opinion some of the best news sites that I've seen on the web. (Vox is also very nice in my opinion though they do not have ssl support apparently)

I would gladly pay a netflix-like subscription that gives me a "pass" to top news sites with no advertising. I just don't want to manage a dozen subscriptions to sites and it's difficult to choose between the different options that they offer like "tablet, web, paper" "web, paper" "tablet only" etc. Just take the difficulty away and give me access to the content in whatever format I want, with an addon fee for print delivery.


I said this on HN yesterday, but I'll repeat again since it's VERY relevant.

I'd like the subscription, as you mention too!

What I'd like even more (for voluntary payment) is a subscription that divvies up my monthly 'budget' according to the % of the time I spent on different sites. Say I spend 50% of my browsing time on Nytimes, 30% on HN and 20% on New Yorker, and my monthly allocated budget is $20. Then NYT gets $10, HN gets $6, NYer $4, etc.

Or perhaps, a monthly budget where the money is deducted for subscription sites, per article/time whatever. Once my budget is finished, I see 'normal' web like everyone else does.

I don't really care about ads, but maybe people who don't want to see ads could pay like, 2x as much, etc.

There doesn't seem to be a lot of innovation in this field. Perhaps it's the difficulty of integrating everything in one place?

Edit after reading the comments: Google contributor just removes ads instead of getting you 'special pass' right? Do the site owners get paid for the 'eyeballs' from the subscribers?


I think Flattr comes very close to that. You set a monthly budget and then "flatter" the sites you like. The budget is divided among these sites.

Flattr is a Sweden-based microdonation provider founded by Peter Sunde and Linus Olsson and launched in March 2010.[1]

https://en.wikipedia.org/wiki/Flattr

Also, different countries in Europe solve this problem differently. Some have this system, such as Piano.

https://en.wikipedia.org/wiki/Piano_Media


Google Contributor [1] is basically that.

[1] https://www.google.com/contributor/welcome/


But it really isn't. It blocks only ads served by Google and only blocks some of them.


Those bundled subscriptions for journalism keep failing. There have been a lot of startups that have tried. Consider Kachingle:

http://kachingle.com/

The criticism that was made of Kachingle is actually relevant for this whole category of startup. You should read "The Limits Of Tip Jar Journalism":

http://www.theatlantic.com/technology/archive/2011/02/kachin...

There are 3 main problems:

1.) there is an abundance of news sites in English

2.) there are not enough people who want to pay for news

3.) Google takes about 45% of all online global advertising

The situation is different for non-English publications. I know, for instance, there is a limited number of fashion/news magazines aimed at women in Poland, and Polish women, all over the world, are willing to pay to support those magazines. So there are 5 or 6 fashion/news magazines in Polish that are doing well.

But in English? There are tens of thousands of such publications and there is not enough money for them all.


Sounds nice in theory, but I'd be concerned about having my reading habits tracked by yet another Central Scrutinizer. I already block ads mainly to avoid creepy and invasive behavior by the ad networks, as well as the malware that seeps through said networks. I am not going to opt-in to mass surveillance.


It doesn't have to be.

Assume registration includes specifying a list of "preferred publishers" (like what aggregated news apps ask on sign up in order to curate your feed)

Add a client side tracker (i.e. browser plugin) with the ability to track the page views on each site.

One of three options:

1) no tracking - split the distribution evenly among your preferred sites

2) offline/batch tracking - at the end of the month, submit an aggregated percentage breakdown of your sites

3) online tracking - sent to the server in real time (i.e. Central scrutiniser)

And if you're really particular about tracking, it could just be an API, and you can write to it whatever data you want to share.


Why do you assume it must be an external, centralized service? why not a browser plugin that you plug in your paypal email into?


Interesting idea, though it incentivizes publishers to prioritize addictive content over valuable content.


That already happens now as advertising is mostly sold on impressions seen.


> Do the site owners get paid for the 'eyeballs' from the subscribers?

Google contributor basically puts you in the same position advertisers are, you bid to advertise to yourself, and if you win, you don't see any ads :)


In addition:

1) Google Contributor requires you to whitelist Google ads

2) AFAIK - you will see at least 50% of the ads


I think you underestimate how much you need to spend to counter the amount websites make on advertising.

I did a back-of-the-envelope-style calculation at one point (I can't recall my source data anymore now though), and basically you'd need to pay something like $120 a month for websites to end up with the same amount of cash as with ads.


120/month per user would be something along the lines of 1.3/visit (assuming ~3 articles on average every day of the month). That sounds very high?

I wonder how much such big organizations spend on selling advertising (I'm now conflating with the likes of NYT that has ads in its paper version etc). If one truly went for ad-free, one would of course let all the ad-selling staff go (or let them do something else).


I'm working on a secret project to do just this. Also working on an ad network focused on better ads.

The future will be better very soon.


> I would gladly pay a netflix-like subscription that gives me a "pass" to top news sites with no advertising.

This has been tried without much adoption (e.g. https://www.google.com/contributor/welcome/).

Really the problem is that newspapers make very little online, even with high numbers of ads, compared to print.

It isn't cost effective to run an online-only newspaper (with all of the extraneous costs that go into producing "news", and not "blogs"). Thus, they have a strong incentive to crazy subscription models instead of streamlining everything.


Google Contributor has a few major problems:

- 5-50% fewer ads isn't good enough, it needs to remove all ads.

- It's too expensive. There is no way my ad impressions add up to $10 a month.

- How is the money divided? How big is Google's cut? Needs to be clarified, ideally made user-configurable.


$10 per month is really low.

I remember when Contributor was in an internal beta (back then I worked at Google). Initially there were no tiers. I recall being completely shocked at how high my 'budget' had to be to stop seeing just most ads, not even all of them. It was much, much higher than $10 per month.

When I looked at the per-site breakdown it was obvious why: I spent a lot of time on sites that advertisers were willing to pay a lot to be on, like (oddly enough) Slashdot. Presumably due to the affluent, IT-budget-controlling and very tightly defined audience. My eyeballs were literally worth a lot of money and to buy them back, would therefore cost a lot of money.

It was when I started to see those figures, and I wasn't even getting an ad free web, that I realised the whole dream of using micropayments to clear the web of advertising was a non starter. Hardly anyone is going to be willing to double or triple the price of their internet subscription just to get rid of some ads, some of the time. We really have no idea just how much the web economy relies on advertising to survive.

Presumably Contributor uses tiered budgets to avoid sticker-shock and people blowing through their budget in the first few days of the month. It makes sense but they can never get rid of all ads that way.

P.S. I don't use ad blockers.


- It's too expensive. There is no way my ad impressions add up to $10 a month.

They do though. Online advertising is a ~$60 billion a year (domestic US) business undergoing very rapid ~50%/year growth rates (estimates vary wildly).

Over around 120 million households, that's about $42 per month per household.

Over 20 million households with at least an upper-middle-class income, it's even higher.


What's interesting is that about half of the US have nearly zero disposable income and are living paycheck to paycheck, and their entertainment is presently being paid for by their wealthier neighbors at the cost of collateral damage in advertising annoyance; This is a deadweight loss if you try to quantify that damage.

Most people aren't willing to pay their equal share of the numbers, but most people also don't have the money to pay it now.

It would be hilarious if you took the 20% of the country with plenty of disposable income and made them the subscription base for destroying advertising: it results in ads shown only to the people without the money to justify them, or sites which go subscription-only.


> - 5-50% fewer ads isn't good enough, it needs to remove all ads.

And the space where those ads would have appeared, as well.


>- It's too expensive. There is no way my ad impressions add up to $10 a month.

Do you believe that Google's description of the way it works is inaccurate, then?

"Instead of bidding on behalf of an advertiser, Contributor bids on your behalf, with the budget you set up. The Google ad auction determines when a thank you message will appear in an ad space, and how much it will cost. In the ad auction, advertisers and Contributor bid for a given ad space in real time." [0]

[0] https://support.google.com/contributor/answer/6084026


Ad impressions add up to way more than that. Online content is, in aggregate, the most expensive content you consume yet you don't notice since it's free right now.

Why is Netflix, Spotify ok for $10 but not a constant stream of content from any source online? People spend 10x more on coffee every month in some areas.


Could HN be considered an online-only newspaper? It covers a lot of stuff.


HN is strictly an aggregator, which is about 3-4 orders of magnitude cheaper to operate.


From a reader's point of view it is. On the production side, HN differs greatly as newspapers have traditionally had direct relationships with their content contributors


One problem is that the traditional print model is heavily subsidized by advertising – for both the Washington Post and New York Times, it's actually cheaper to get a print subscription which comes with free all-device digital access than it is to buy any combination of digital for more than a single device.

(If the ecological cost of all of that unread paper bothers you, you can put in long-duration vacation stops or, in the case of the NYT, have your paper copy sent to a school instead)


I personally don't see print media going extinct (books certainly didn't) but I'd hypothesise that availability and convenience is more important than price for the average NYT reader.


I think this is complicated by perceived fairness: normal people do not view different formats as separate products and even people who aren't particularly price sensitive will bristle at something which they see as unfair.

Since there's no way to buy an ad-free copy of the NYT, all of their existing customers have been trained to think of the fair price as what a paper subscription costs with little thought about how much of that is subsidized by advertisers.

Even high-income people are sensitive to these effects – Doc Searls wrote about a similar problem where the New Yorker's intro pricing made him feel like he was being ripped off, even though I'm certain the cost isn't a noticeable financial issue for him:

https://blogs.law.harvard.edu/doc/2015/05/23/dear-magazines-...


I've posted about this before, but charging people to remove ads is a difficult business proposition. It disproportionately devalues the remaining ad impressions. Advertisers aren't likely to pay much to reach the people who are, almost by definition, either too cheap to buy a pass or not invested enough in the site to care. It also creates dangerous incentives: the site will make more short-term revenue in proportion to how annoying the ads are, and the core readers won't even see them to complain.

In practice, I think you'd be limited to selling network ads, which don't pay very much and rely on tracking users and building profiles to serve them targeted ads.


> Advertisers aren't likely to pay much to reach the people who are, almost by definition, either too cheap to buy a pass or not invested enough in the site to care

Are you speaking from experience and/or data, or based on logical reasoning? I'm honestly curious, so I hope this doesn't come across as a digital call-out of some kind.

To elaborate, I feel like a lot of people don't pay for news, or written content, because they expect (and can get it) for free. That doesn't mean they're not good potential widget customers.

I'm curious as to what kind of inferences advertisers make / have made about users based on their specific spending patterns. For example, while I'm sure that generally speaking someone who pays for service X may be more likely than average to pay for service Y, I would also expect that variance to grow or shrink a lot depending on the specific circumstances.


I haven't specifically tried that exact approach, but I have a fair bit of experience with ad-supported news sites.

> I feel like a lot of people don't pay for news ... That doesn't mean they're not good potential widget customers.

I'm having a hard time thinking of any advertiser who would be happy about excluding the sort of dedicated reader who is willing to pay for content online. I'm not saying the remaining ad impressions are "bad" just that they are objectively less valuable. That's why this scheme disproportionately devalues ad impressions: you remove the direct impressions from people who buy a pass and you also make the remaining impressions less valuable.

Look at how washingtonpost.com positions itself to advertisers: http://www.washingtonpost.com/wp-adv/mediacenter/html/ad_was... and then imagine how much harder it would be to buy into that story if it excluded many wealthy and loyal readers.


A paywall subscription consolidator would indeed be a nice thing to have. Not sure the newspapers would give up their subscriber contact info to a 3rd party though, without some strong guarantees of privacy and continued access for internal purposes.


Check out Blendle[0] - Dutch company moving to the US soon[1] (launched in Netherlands and Germany). Can't vouch for it myself but was on HN yesterday.

[0] https://launch.blendle.com [1] http://www.niemanlab.org/2015/12/micropayment-platform-blend...


I work for a UK publisher with paywall sites. We hear (unverified) reports that micropayment revenue from Blendle is extremely lacklustre...


I have to disable JavaScript for NYT, every time I click or double click words in an article (I'm copying and pasting to reference things myself, thanks very much NYT!) they hijack my clicks and change the font size or switch articles.


Just to list some ways that advertising is better than subscriptions:

- Free, obviously

- No willpower/decision required

- Faster (due to no decision as above)

- More equal access (as wealth/income don't determine how much content you get)

- Anonymous (yes more than payments which come with your cc number, address, etc)

I do think online ad formats have gotten worse but the model itself works. It's the implementation that needs a severe restructuring today and is finally in progress due to the growing consumer power through adblocking.


I think the fundamental problem is that these companies would want to own the customer relationship, rather than simply be a branded content provider for some pay in someone else's solution.


I think news paywalls need to be bundled in not with other newspapers but other subscription services.

I'd kill for a Netflix/Spotify/choose-your-newspaper all in one bundle.


Do you like the fact that when you pay for cable you get a bunch of channels you never watch?


Let's hope WP becomes a trend-setter among news websites in this direction. The only other one (that I know of) is RT.

SSLLabs grades WP's HTTPS support "A" [1].

I can see that they don't set HSTS headers and there's no OCSP stapling.

Also, their cookies are not set as "secure".

[1] - https://www.ssllabs.com/ssltest/analyze.html?d=www.washingto...

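The three gaps listed in that comment (no HSTS, no OCSP stapling, cookies without the Secure flag) can be checked from a captured response. The following is an added example, not code from the original thread or from the Washington Post; the response text it inspects is constructed for the example rather than a real capture, and the six-month max-age bar is an assumption taken from the usual HSTS preload requirement. OCSP stapling is a TLS-layer property and does not appear in HTTP headers, so this script only covers the HSTS and cookie findings.

```python
from typing import Dict, List, Tuple

# Constructed sample of the header block an HTTPS site might return before it
# enables HSTS or marks its cookies Secure (not a real washingtonpost.com capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 10 Dec 2015 17:00:00 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)

# The same site after hardening, for comparison (also constructed).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

SIX_MONTHS = 180 * 24 * 3600  # assumed bar for max-age; the preload list asks for at least this


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the header block into (name, value) pairs, keeping order and repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_hsts(headers: List[Tuple[str, str]]) -> List[str]:
    """Flag a missing or weak Strict-Transport-Security policy."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header: a typed hostname still starts on plain HTTP"]
    directives = {}
    for part in values[0].split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip().strip('"')
    findings = []
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < SIX_MONTHS:
        findings.append(f"HSTS max-age={max_age} is below six months")
    if "includesubdomains" not in directives:
        findings.append("HSTS omits includeSubDomains, so subdomains can still be reached over HTTP")
    return findings


def check_cookies(headers: List[Tuple[str, str]]) -> List[str]:
    """Flag cookies that the browser would also send on an http:// request."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks HttpOnly")
    return findings


def audit(raw: str) -> Dict[str, List[str]]:
    """Run both checks over a raw response and group the findings."""
    headers = parse_headers(raw)
    return {"hsts": check_hsts(headers), "cookies": check_cookies(headers)}


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw))
```

The cookie check matters even on an all-HTTPS site: without Secure, a single http:// link or injected image to the same host makes the browser send the session cookie in the clear, which is exactly what the HTTPS move was meant to stop.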

Why aren't big online publishers more concerned about the junk that the ad networks are attaching onto their sites?

If an expert like Google can't even ensure that ads don't auto play or include sound effects, what hope is there that they can protect against malware and other dangerous content leaking in?


> Why aren't big online publishers more concerned about the junk that the ad networks

> If an expert like Google can't even ensure that ads don't auto play

The latter answers the former. They are concerned, but there is basically nothing they can do about it if they want to continue to earn money.


What changed?

Many years ago, ads were very bad. Then Google got into the business and enforced clean, tasteful ads and things were good for quite some time. But then they started deteriorating again, worse every year until I finally installed adblock early this year.

Did something cause the power balance to swing back away from Google or something? If so, what?


Google would have the power to blacklist bad players. And they should really do something about it. Bad ads drive people to using adblockers.


It's a concern, but it also pays the bills. You can easily concern yourself out of business.


I am not sure how I feel about the general HTTPS-ization of the web. I've used squid (http://www.squid-cache.org/) and dansguardian (http://dansguardian.org/) for nearly 15 years now. It greatly speeds up my web and keeps smut away from my family.

Yet it is becoming more and more useless everyday because of HTTPS. I used to be able to quickly fly through google maps because most of the images were in cache, even with only 1mbs internet. Then it went HTTPS only. So I started using mapquest, then it too did the same. Bing maps still allows some non HTTPS images, so I now use that sometimes.

I can see how some sites might want to be more private in nature. But news and maps websites I am not seeing the point.


Improved privacy is one benefit https provides. There are two other benefits worth considering: authentication and integrity. Without https, there is no way to trust a site's identity, and no guarantees the data you're receiving was not modified in transit.

Don't forget to weigh those other two factors when judging https adoption. Your goals are understandable and worthwhile. They're also still achievable with appropriate client management software.

Consider this: in a world without https, your children could visit a valid, approved domain and be served malicious or undesirable content because someone modified the content in flight or intercepted the connection. There is literally no way for you to have any guarantee what's served to your children.

In a world with https (and appropriate client management software), you can be confident they really are only receiving approved content because the connection is authenticated and traffic cannot be modified in flight. (And your children are less easily tracked by unknown 3rd parties, to boot.)

Authentication and integrity are often forgotten when discussing https, which is unfortunate because those are two incredibly important benefits that further motivate widespread https deployment.


You can still do that with HTTPS. Squid supports HTTPS proxying. Basically, you create your own root CA, distribute it to all endpoints on your network, and use squid to MITM all connections. That's (essentially) how most corporate proxies work.


Yes, I'll be setting that up soon. But if the cert is truly bad from the website, there doesn't seem to really be an easy way to check it since squid either outright accepts it or just rejects it depending on the config.


If Squid can't proxy sites with bad certs in a reasonable way, that's Squid's problem, not a problem with HTTPS.

The fact that some open-source software can't do what you want it to do doesn't mean that there's anything wrong with other people trying to be secure. The most obvious solution would be to fix Squid, pay someone to fix it if you can't, or at the very least write a bug report to let other people know that you need it fixed.



> quickly fly through google maps because most of the images were in cache, even with only 1mbs internet. Then it went HTTPS only.

How is that related? Your browser caches files if the right headers are set. The protocol doesn't make any difference here.

The only thing you gain via external cache is potentially sharing that cache with other devices at home. But I'm not sure how realistic the improvement is - either you're looking at a one-off location, or multiple times at the same one. In the first case no caching can help, in the second you're looking at stuff multiple times anyways - just let it load the first time.


I listened to an interesting opinion on the BBC the other day that the internet wasn't fit for purpose and that no sane parent should ever allow their child on it at all[1].

Her argument is that we don't expect parents to police their children all the time in real life, shop owners have legal responsibilities to stop children accessing inappropriate products, children are stopped from purchasing alcohol in bars, etc. and yet on the internet somehow it's the parent's responsibility all the time all of a sudden. And if your child is with other people, those restrictions may be totally waived.

The problem is, it is trivial for a child to access incredibly disturbing and PTSD inducing material that is accessible to any child with ease, beheadings, murders, the most vile and disturbing porn you couldn't even imagine, all two clicks of a button away from your 11 year old.

She definitely has a point. I'm not sure what the solution is as I love the internet being open, but a huge proportion of the planet is made up of children and they can go watch ISIS behead someone or a woman shit in the mouth of a man whenever their classmate dares them.

[1] http://www.bbc.co.uk/programmes/p039wy7f


>The problem is, it is trivial for a child to access incredibly disturbing and PTSD inducing material that is accessible to any child with ease, beheadings, murders, the most vile and disturbing porn you couldn't even imagine, all two clicks of a button away from your 11 year old. She definitely has a point. I'm not sure what the solution is as I love the internet being open, but a huge proportion of the planet is made up of children and they can go watch ISIS behead someone or a woman shit in the mouth of a man whenever their classmate dares them.

I'd much rather have my children see that and talk to me about it because they trust me rather than not mentioning it because they worked around a web filter (which is inevitable [check out my ubuntu live usb stick, or my ssh tunnel]) and are afraid of getting in trouble.


> Her argument is that we don't expect parents to police their children all the time in real life

Up until the child starts hitting double-digit ages, we actually do expect just that. Long gone are the days of society being okay with parents letting 7-year-olds roam free and play.


Yes, it is an issue. And worse, the web has become something so important that you can't just outright deny all access to it. Yet it is still akin to dropping your child off on the wrong side of town unattended and simply "hoping for the best".

The old saying used to just be "have the family computer in a public room (living room, etc.) and don't allow private access". But with every phone, tv, game console, alarm clock, whatever, all having their own web browsers, the only way to truly filter is from the single source of the ISP connection.

7 years ago I had an idea to make web filtering routers and ethernet bridges. But even then it was becoming too hard to reliably do. And I didn't want to market something for family protection that I couldn't 100% reliably guarantee works.

And most recently, a somewhat home constrained neighbor that lived by me wanted me to secure his internet "the way mine is". He was tired of fighting porn addictions. I set him up the best I could, but within a year I had gotten word that he had convinced another friend/relative to buy him a smart phone with unlimited internet access...


I'd say the number one real danger on the Internet are child predators -- and there's no sane way to protect from that, just like there's no sane way to protect from that in the real world. But education and dialogue (with your children) helps.

I'd probably be more worried about all the porn that your 11 year old watch, than the beheadings. Staying ahead of the curve wrt healthy sex ed. is a real challenge.


Caching - this is already taken care of by your browser. Desktop browsers can store GBs of cache. How does using another cache layer speed up anything?

Filtering - this can still be done by just using SNI (server names) which are part of the https handshake.

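The SNI-based filtering the comment above describes works because the hostname travels in the clear in the ClientHello, before any encryption starts, so a filter on the router can decide without the MITM CA that the Squid "bump" setup earlier in the thread needs. The following is an added example, not code from the thread, Squid or DansGuardian: it builds a minimal TLS 1.2 ClientHello with a server_name extension (the random bytes, cipher suite and second extension are fixed placeholders), then extracts the hostname the way a filter would and applies a blocklist that is purely a placeholder for the example. The caveat is that a filter at this layer sees only the hostname, never the URL path, and a client that omits SNI or resolves the site by IP yields no name to match.

```python
import struct
from typing import Optional

SNI_EXT = 0x0000           # extension type for server_name
SUPPORTED_GROUPS_EXT = 0x000A

# Placeholder blocklist for the example; a real filter would load a category list.
BLOCKLIST = {"smut.example", "ads.example"}


def build_client_hello(hostname: str) -> bytes:
    """Constructed TLS 1.2 ClientHello carrying one server_name entry."""
    name = hostname.encode("idna")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    # An unrelated extension placed first, so the parser has to skip over it.
    groups = struct.pack("!HH", 2, 0x0017)
    groups_ext = struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(groups)) + groups
    extensions = groups_ext + sni_ext
    body = (
        b"\x03\x03"                                # client_version: TLS 1.2
        + b"\x11" * 32                             # random (fixed placeholder)
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
        + b"\x01\x00"                              # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if absent or malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        return None
    pos = 2 + 32                                   # skip version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                           # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXT or len(data) != elen or len(data) < 2:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        entries = data[2:2 + list_len]
        i = 0
        while i + 3 <= len(entries):
            ntype = entries[i]
            nlen = struct.unpack("!H", entries[i + 1:i + 3])[0]
            i += 3
            host = entries[i:i + nlen]
            i += nlen
            if ntype == 0 and len(host) == nlen:
                try:
                    return host.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def filter_decision(record: bytes) -> str:
    """'block', 'allow', or 'unknown' (no usable SNI, so policy must decide)."""
    host = extract_sni(record)
    if host is None:
        return "unknown"
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):                   # match the host and every parent domain
        if ".".join(labels[i:]) in BLOCKLIST:
            return "block"
    return "allow"


if __name__ == "__main__":
    for h in ("www.washingtonpost.com", "video.smut.example"):
        print(h, filter_decision(build_client_hello(h)))
```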

You want to deny me privacy because of, "Think of the children"?

How about NO.


People talk about "privacy" here in this abstract way (HTTPS provides no absolute privacy), and right now there is this: https://news.ycombinator.com/item?id=10711737 at the top of HN.


I figured I'd get that response. How about this, what are you trying to be so "private" over? Is it legal or moral? Is it perhaps that web browsing and privacy are simply always going to be mutually exclusive, akin to walking out in public?

I am sure everyone that went to ashleymadison.com used proxies, wiped their history, and used HTTPS. But HTTPS didn't really help all that much did it? And how many of your "private" websites that you use are vulnerable to the same?

How do you know some sysadmin at Google isn't right now reading your gmail emails sitting on a backed up filesystem somewhere?

I am trying to do something right here, protect my family and myself. Oh and make my internet faster. But because of a huge push of people that need to do (mostly) wrong, I can no longer do what is right. Yes I am aware that some privacy is probably good. Passwords shouldn't be clear text or CC numbers. But SSL for map images and random text from a news site? Just not seeing the point. Oh and HTTPS isn't the magic bullet either: https://youtu.be/WhKBPwzhAZ4?t=4m40s


I thought that the "why hide if you have nothing to hide" argument was dead and buried when it came to privacy issues.

> But because of a huge push of people that need to do (mostly) wrong, I can no longer do what is right

This is just unspeakably wrong about the importance of HTTPS. You're basically equating HTTPS to criminal activity.


There are two reasons for me. First tech-related, second political. (main reasons anyway, there are more)

1. If you allow any website which has a login/payment/refer link to download over HTTP, you potentially lost the security game. It doesn't matter that the payment site is secure if the site that directed you to the shop was on plain HTTP and changed in flight. Making things secure by default is not solving everything, but definitely helps.

2. For keeping privacy, imagine you're doing 99% of your browsing via the default HTTP. Only connections to 1-2 servers ever go over HTTPS. Which are the connections you're trying to keep private? Now compare that to browsing 99% of the time via the default HTTPS. Which are the connections you're trying to keep private?


Privacy isn't the only argument in favour of HTTPS everywhere. There's way too much unencrypted metadata even in an HTTPS connection - just the destination IP alone gives away a lot. The main argument for me is authenticity - no one between the web server and me can inject ads or malware.


> Oh and make my internet faster.

Also, this site would disagree with you on the speed question: http://www.httpvshttps.com/


That's really an HTTP vs. HTTP/2 comparison, with the deck stacked for HTTP/2 (hundreds of tiny files).


You missed my point. I am speaking of squid caching, which won't normally work with HTTPS.


Thank you for saying that. I always thought HTTPS was only for private communication or logged sessions. Reading random stuff on news sites shouldn't be HTTPS'ed, it has too many downsides and no upside in these cases.

However, HTTP/2 is here, and it is HTTPS only. The dream is over. We're lucky -- only lucky -- that someone decided to do Let's Encrypt so I can still run a personal website without paying thousands on certificates.


Paying thousands? It's $5 or less per year for a certificate like the one Let's Encrypt provides at other sites.


Interesting. I'd never thought about the potential issues with HTTP/2 being only HTTPS based. Though seems that self signed certs could still be used or is that disallowed?


It's not like HTTP/1.1 is going anywhere for decades. HTTP/2 barely arrived and has benefits mainly for large sites, not everyone.


Are there any ad networks that are 100% HTTPS? HTTPS ads would work in both HTTP and HTTPS content pages, but HTTP ads may cause mixed content problems. Are the ad networks worried about HTTPS latency? Or are they just lazy? :)

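The mixed-content problem raised in that question is easy to check for on a publisher's own pages before an ad network is allowed in. The following is an added example, not code from the thread or from any ad network: it walks a page's subresource references and reports those that would load over plain http:// on an https:// page. The page markup and hostnames are constructed for the example, and the split into "active" (script, stylesheet, frame, object) versus "passive" (image, media) content follows the browser behaviour of the time, where active mixed content is blocked outright and passive content only triggers a warning.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that fetch a subresource. Active content can run code or
# restyle the page; passive content can only be displayed.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

# Constructed sample page: a mix of clean, protocol-relative and plain-http references.
SAMPLE_PAGE_URL = "https://news.example/story"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="https://static.example/site.css">
  <script src="https://cdn.example/app.js"></script>
  <script src="http://ads.example/tag.js"></script>
</head><body>
  <img src="//cdn.example/logo.png">
  <img src="http://ads.example/pixel.gif" width="1" height="1">
  <link rel="stylesheet" href="http://static.example/legacy.css">
  <a href="http://other.example/">a plain link, not a subresource</a>
</body></html>
"""


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, absolute_url) for every http:// subresource on an https page."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        for name, value in attrs:
            if value is None:
                continue
            if (tag, name) in ACTIVE:
                kind = "active"
            elif (tag, name) in PASSIVE:
                kind = "passive"
            else:
                continue
            if tag == "link" and "stylesheet" not in (attr_map.get("rel") or "").split():
                continue                        # only stylesheets are active; skip icons etc.
            absolute = urljoin(self.page_url, value)   # resolves relative and // URLs
            if urlsplit(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))


def find_mixed_content(html: str, page_url: str) -> List[Tuple[str, str, str]]:
    """Return mixed-content findings in document order; empty for an http:// page."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{kind:7s} <{tag}> {url}")
```

Protocol-relative references such as //cdn.example/logo.png are the cheap fix for ad tags: they inherit the page's scheme, so the same tag works on http and https pages, which is the property the question asks about.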

AFAIK DoubleClick AdX moved to 100% SSL in June[1].

[1] https://support.google.com/adxbuyer/answer/3016708?hl=en


Yes - we are: https://instinctive.io

A real modern ad network focused on clean, static, seamless ads. We're also probably the fastest ad network around, and soon to be one of the most privacy conscious as well.

Most typical ad networks aren't actually that capable even though the industry is called "adtech". They're built using the same copy/paste software with outsourced teams and no attention to detail other than how to jam the biggest and loudest ad on a page. Needless to say, that model isn't working anymore.


> not only enable HTTPS on our site but also use our own custom EV certificate¹

Their certificate doesn't look EV to me. (I checked both developer. and www.)


Their cert used to be an EV cert. I remember this because the address bar looked absurd as an EV cert "The Washington Post" plus the extra iconography associated with an EV cert. It took up a quarter of my URL bar on a small screen macbook.

It looks like they are using instart logic, and are on the same cert as a bunch of their other enterprise customers now.


FYI they had that because EV Certs are tied to the official company name, so if you want a more 'colloquial' name, there's a special field called something like 'doing business as'. Then the displayed green bar says:

> Official Business Name (Colloquial Business Name)

Which in the case of two very long names...


> It looks like they are using instart logic, and are on the same cert as a bunch of their other enterprise customers now.

Which is a great way to know who Instart Logic's customers are, if you're in the CDN business and looking for customers to poach...


Odd, I'm seeing an EV cert at https://www.washingtonpost.com/ (though not at https://developer.washingtonpost.com/)


It looks like they switched their certs recently. I saw the EV cert in Chrome but not Firefox, but force-reloading the page in Firefox then showed the EV cert.


Hm, just don't break it to them that the EV CA doesn't say much if you understand how fundamentally broken the CA system is.


I don't see what one has to do with the other.

EV adds value over a domain verified certificate by claiming to verify the identity of the organisation. This is done through a background check when an EV certificate is applied for.

So if an organisation uses a non-standard domain (e.g. Microsoft purchased "SpecialXBoxPromotion.net" for some holiday discount) you could still see, via EV, that that organisation controlled that domain.

The CA system has a few warts, but Certificate Transparency, revocation lists, and oversight are helping combat that. But none of this helps or hurts EV as a concept either way.

The real issue with EV isn't with the EV concept or EV process, it is that end users don't understand EV or why it matters.


Agreed about EV, but claiming that the CA system "has a few warts" is similar to claiming Katrina "flooded over a few houses".

I consider the CA model as it exists for browsers fundamentally broken even in a world where everyone configured things perfectly and no bugs exist. It "works" today insofar as (for instance) I don't really fear using my bank, Amazon, etc. But the protection doesn't come because the CA model offers any technically strong way for you to be certain of the identity of the server on the other end. Any assurance you have is based on human factors (thus the push to EV certs - more human verification).

I'm pretty sure there isn't more wide-scale cert forgery only because it is more useful to target individuals, and possibly because those who have the ability to forge, say, Google's certs have an interest in not loudly demonstrating how broken the system is.

Given the number of root certs in everyone's browser right now from entities completely unknown to the users, I really don't understand how people have more confidence than I do.


I'm not going to disagree with you on the CA system (I'd have to understand it more), but aside from being a product of CAs, what is the issue with EV?

EV's biggest problem is the DV certificate: it's hard to communicate the nuance between "controls Amazon.com" and "controls Amazon".

EVs were a positive step forward, especially with the introduction of the CA/B Forum, as after Let's Encrypt DVs' only value is as an encryption mechanism (i.e. not as security, see phishing).

Those "human factors" are unavoidable - identity is a "human factor".

The integrity of EV is down to the integrity of the CA who are regulated (now) by a strict set of guidelines. So the set of CAs who can administer EVs are a much smaller subset of CAs who can give out DVs.


“This [attack] was extremely sophisticated and critically executed… It was a very well orchestrated, very clinical attack, and the attacker knew exactly what they needed to do and how fast they had to operate. All the IP addresses were from Iran. All the above leads us to one conclusion only: that this was likely to be a state-driven attack” - Melih Abdulhayoglu, Comodo Founder.

Comodo is the CA that issued the biggest percentage of certificates worldwide; they even won an award that year or the year after at the RSA conference! If you take a closer look though, as Moxie did[1] - we're all grateful - you find out that it takes a douchebag with a questionable skillset to bring the entire infrastructure down to its knees. It's hilarious and tragic at the same time.

[1] https://www.youtube.com/watch?v=pDmj_xe7EIQ


Thanks for the link!

I will question the relevance of the first half of the talk (about CAs and SSL) in 2015, with TLS and the CA/B Forum.

But his main thesis about trust agility is quite spot on. I'd never considered it before, and am going to look into Convergence and TACK. He raises a fantastic question - the duration of trust is a real concern.


Could you reduce the 114 requests and the 7.77s page load? Do you really need 6 analytics and 15 3rd party services?

Chrome DevTools timing said: 2.71s Scripting; 636ms Rendering; 210ms Painting

WashingtonPost.com crashes my iPad Safari, see: https://news.ycombinator.com/item?id=10697235


This is almost certainly the ads that they're talking about in this post. They don't really have any control over what kind of trackers are included in 3rd party ads. I would wager that if you reload the site at different times of the day, you'll get different numbers.

It's a sad reality of the advertising world—the people building the ads simply don't care, and the ad networks can't (or won't) do good QA.


It's a lot more complicated than that. Yes, there are lots of ad networks that are crappy and don't have good QA, but lots of this is down to the buyers themselves.

The big clients and agencies who do ad buys have thousands of requirements including 3rd party verification, tracking, conversion pixels, etc.

We run one of the fastest ad networks available with everything optimized to the fewest network requests, yet a single campaign from someone like ATT will mean a dozen other tags that need to be loaded if we run their ads.

It's a lack of trust, standards and actual technical understanding that's hurting this industry the most.


What's fascinating is how fast the Washington Post is, and how you get different image types depending on the browser you use. Off to check out that CDN provider they use.


Does anyone else have the following issue with the footnote hotlinking on this blog post? When I click the "return" icon on a footnote to jump to the point in the text where the footnote is, I end up several lines below where I should. The sentence with the footnote is concealed by the black WaPo header bar.

I can replicate this behavior in Chrome on Ubuntu, Chrome on El Capitan, and Safari on El Capitan.


> Today, more than 99% of our traffic is redirected to HTTPS.

So what are the .9% of traffic that aren't? Web crawler bots?


I was thinking it was requests to certain pages that weren't redirected, not requests from certain users.

Maybe some pages don't work on https due to mixed content and stuff like that.


I thought they used Wordpress.


Sadly, like too much engineering writing, no attention is given to the "why".


Isn't that pretty well established by now?


Yes, but there will always be die-hards who hate change.

I've just given up giving a full explanation and now just point to this:

http://arstechnica.com/tech-policy/2013/04/how-a-banner-ad-f...

And this:

https://www.eff.org/deeplinks/2014/11/verizon-x-uidh

If they still aren't convinced then they weren't convincible to begin with. There's other arguments too, but if the above doesn't sway them then none of the other arguments would either.


So the site takes longer to load and the users will see mixed content warnings from time to time.


[flagged]


groan Not another site claiming blockchains are the solution for everything, please! I've yet to see an actual useful blockchain usage outside of payments.


As an aside, did the font on this page bother anyone else? The lowercase "w" in particular just kept confusing me into thinking it was a word in italics and my mind kept stressing it. I looked it up, and the font-family is "Ubuntu".


Is this supposed to be an impressive project? Because if it is, I feel sorry for the developers working there.


Deploying HTTPS on a site with tons of legacy components, third-party dependencies and a lot of ad networks is definitely no small feat. There's a reason why most news sites are still HTTP-only.


Agreed! Fun/difficult projects aren't always the 'latest and cutting edge' ones. You can have impressive/difficult challenges ESPECIALLY while getting legacy components to work with more recent technology, even though the task itself may seem 'simple' for more uhh, inexperienced, developers.


Similar story with ecommerce sites. Even Amazon still runs most of their shop experience over HTTP. From a technical perspective, switching a simple site to HTTPS-only isn't that hard. Fix mixed content warnings, update URLs, etc. Ecommerce sites often use dozens of third-party vendors for things like analytics, ads, and recommendations. Making sure all of your dependencies support HTTPS can be a logistical nightmare.
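The mixed-content problem raised in the comments above (pages that break once the HTTP-to-HTTPS redirect is on, and the "fix mixed content warnings" step of a migration) can be checked offline before flipping the redirect. The following scanner is an added example, not code from the Post or from any commenter; the HTML and hostnames in it are constructed, and the active/passive split follows how browsers treat the tag types listed.

```python
"""Offline mixed-content scanner for a page that will be served over HTTPS.

Browsers block "active" mixed content (scripts, stylesheets, frames) loaded
over plain http:// and only warn on "passive" content (images, media).
Running this over rendered HTML lists what has to change before redirecting
everything to HTTPS. Added example; sample input below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> severity. Protocol-relative ("//host/x.js") and
# site-relative ("/x.js") URLs resolve against the HTTPS page URL, so they
# are fine; only an explicit http:// scheme is reported.
CHECKS = {
    ("script", "src"): "active",
    ("link", "href"): "active",     # only when rel="stylesheet", see below
    ("iframe", "src"): "active",
    ("object", "data"): "active",
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, a), severity in CHECKS.items():
            if tag != t or not attrs.get(a):
                continue
            # A <link> is only a subresource load when it is a stylesheet.
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue
            url = urljoin(self.page_url, attrs[a])
            if urlsplit(url).scheme == "http":
                self.findings.append((severity, tag, url))


def scan(html, page_url):
    """Return the list of (severity, tag, url) mixed-content findings."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: one stylesheet, one image and one frame still point
# at plain http://; the protocol-relative ad tag and the relative script are fine.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<link rel="icon" href="http://static.example.test/favicon.ico">
<script src="//ads.example.test/tag.js"></script>
<script src="/js/app.js"></script>
</head><body>
<img src="http://images.example.test/hero.jpg">
<img src="https://images.example.test/logo.png">
<iframe src="http://ads.example.test/frame.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan(SAMPLE_HTML, "https://www.example.test/article"):
        print(f"{severity:7} <{tag}> {url}")
```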

